[ACCEPTED]-Is there a difference between ECDH and ECDSA keys?-elliptic-curve

Accepted answer
Score: 35

ECDSA and ECDH are from distinct standards 47 (ANSI X9.62 and X9.63, respectively), and 46 used in distinct contexts. X9.63 explicitly 45 reuses elements from X9.62, including the 44 standard representation of public keys (e.g. in 43 X.509 certificates). Hence, ECDSA and ECDH 42 key pairs are largely interchangeable. Whether 41 a given implementation will permit such 40 exchange, however, is an open question. Historically, (EC)DSA 39 and (EC)DH come from distinct worlds.

Note, though, that 38 usage contexts are quite distinct. There 37 is a bit more to cryptography than computations 36 on elliptic curves; the "key lifecycle" must 35 be taken into account. In plain words, you 34 do not want to manage key agreement keys 33 and signature keys with the same procedures. For 32 instance, if you lose your key agreement 31 key (your dog eats your smartcard -- do 30 not laugh, it really happens), then you 29 can no longer decrypt data which was encrypted 28 relatively to that key (e.g. encrypted emails 27 sent to you, and stored in encrypted format). From 26 a business point of view, the loss of a 25 key can also be the loss of an employee 24 (the employee was fired, and was struck 23 by a bus, or retired, or whatever). Hence, encryption 22 keys (including key agreement keys) must 21 often be escrowed (for instance, a copy 20 of the private key is printed and stored 19 in a safe). On the other hand, loss of a 18 signature key implies no data loss; previously 17 issued signatures can still be verified; recovering 16 from such a loss is as simple as creating 15 a new key pair. However, the existence of 14 an escrow system tends to automatically 13 strip signatures of any legal value that 12 could be attached to them.

Also, on a more 11 general basis, I would strongly advise against 10 using the same private key in two distinct 9 algorithms: interactions between algorithms 8 have not been fully explored (simply studying 7 one algorithm is already hard work). For 6 instance, what happens if someone begins 5 to feed your ECDH-based protocol with curve 4 points extracted from ECDSA signatures which 3 you computed with the same private key ?

So 2 you really should not reuse the same key 1 for ECDH and ECDSA.

More Related questions